Abstract. In order to study control problems for hybrid systems, we generalize
hybrid automata to hybrid games — say, controller vs. plant. If we specify the
continuous dynamics by constant lower and upper bounds, we obtain rectangular
games. We show that for rectangular games with objectives expressed in Ltl
(linear temporal logic), the winning states for each player can be computed, and
winning strategies can be synthesized. Our result is sharp, as already reachability
is undecidable for generalizations of rectangular systems, and optimal
— singly exponential in the game structure and doubly exponential in the Ltl
objective. We also show how symbolic methods, whose proof of convergence
depends on the existence of certain finite quotient structures for hybrid games,
can be used to obtain more practical algorithms for solving many rectangular
control problems. In this way we are able to systematically generalize the theory
of hybrid systems from automata (single-player structures) [Hen96] to games
(multi-player structures).


1  Introduction 

A  hybrid  automaton  [ACH+95]  is  a  mathematical  model  for  a  system  with  both  discretely 
and  continuously  evolving  variables,  such  as  a  digital  computer  that  interacts  with  an 
analog  environment.  An  important  special  case  of  a  hybrid  automaton  is  the  rectangular 
automaton  [HKPV98],  where  each  discrete  variable  ranges  over  a  finite  domain,  the  enabling 
condition  for  each  discrete  change  is  a  rectangular  region  of  continuous  states,  and  the  first 
derivative  of  each  continuous  variable  x  is  bounded  by  constants  from  below  and  above;  that 
is, $\dot{x} \in [a, b]$. Rectangular automata are important for several reasons. First, they generalize
timed  automata  [AD94]  (for  which  a  =  b  =  1)  and  naturally  model  real-time  systems  whose 
clocks  have  bounded  drift.  Second,  they  can  over-approximate  with  arbitrary  precision  the 
behavior  of  hybrid  automata  with  general  linear  and  nonlinear  continuous  dynamics,  as 
long  as  all  derivatives  satisfy  the  Lipschitz  condition  [PBV96,  HHWT98].  Third,  they  form 
a most general class of hybrid automata for which the Ltl model-checking problem can be
decided: given a rectangular automaton A and a formula $\varphi$ of linear temporal logic over
the discrete states of A, it can be decided in polynomial space if all possible behaviors of A
satisfy $\varphi$ [HKPV98].

*This research was supported in part by the Defense Advanced Research Projects Agency grant NAG2-

Since hybrid automata are often used to model digital controllers for analog plants, an
important problem for hybrid automata is the Ltl control problem: given a hybrid automaton
A and an Ltl formula $\varphi$, can the behaviors of A be “controlled” so as to satisfy $\varphi$?
However, the hybrid automaton per se is an inadequate model for studying this problem
because it does not differentiate between the capabilities of its individual components — the
controller and the plant, if you wish. Since the control problem is naturally formalized in
terms of a two-player¹ game, we define hybrid games. Because our setup is intended to
be as general as possible, we do not distinguish between a “discrete player” (which directs
discrete state changes) and a “continuous player” (which advances time); rather, in a hybrid
game, each of the two players can itself act like a hybrid automaton. The game proceeds in
an infinite sequence of rounds and produces an $\omega$-sequence of states. In each round, both
players independently choose enabled moves; the pair of chosen moves either results in a
discrete state change, or in a passage of time. In the special case of a rectangular game,
the enabling condition of each move is a rectangular region of continuous states, and when
time advances, then the derivative of each continuous variable is governed by a constant
differential inclusion. Now, the Ltl control problem for hybrid games asks: given a hybrid
game $\mathcal{R}$ and an Ltl formula $\varphi$ over the discrete states of $\mathcal{R}$, is there a strategy for player-1
so that all possible outcomes of the game satisfy $\varphi$?

Our  main  result  shows  that  the  Ltl  control  problem  can  be  decided  for  rectangular 
games. This question had been open. Previously, beyond the finite-state case, control problems
have been solved only for timed games [HW92, MPS95, AMPS98], and for rectangular
games  under  the  assumption  that  the  controller  can  move  only  at  integer  points  in  time 
[HK97] (sampling control). Control algorithms have also been proposed for linear and nonlinear
hybrid games [Won97, Tom98], but in these cases convergence is not guaranteed. For
timed  games  and  sampling  controllers,  convergence  is  guaranteed  because  the  underlying 
state  space  can  be  partitioned  into  finitely  many  bisimilarity  classes,  and  the  controller 
does  not  need  to  distinguish  between  bisimilar  states.  Our  result  is,  to  our  knowledge,  the 
first  controllability  result  for  infinite-state  systems  which  does  not  rely  on  the  existence  of 
a  finite  bisimilarity  quotient.  Our  result  is  sharp,  because  the  control  problem  for  a  class  of 
hybrid  games  is  at  least  as  hard  as  the  reachability  problem  for  the  corresponding  class  of 
hybrid  automata,  and  reachability  has  been  proved  undecidable  for  several  minor  extensions 
of  rectangular  automata  [HKPV98].  The  complexity  of  our  algorithm,  which  requires  singly 
exponential time in the game $\mathcal{R}$ and doubly exponential time in the formula $\varphi$, is optimal,
because  control  is  harder  than  model  checking:  reachability  control  over  timed  games  is 
Exptime  hard  [HK97];  Ltl  control  over  finite-state  games  is  2Exptime  hard  [Ros92]. 

Ingredient  1  of  our  approach  to  infinite-state  control:  Finite  quotient  spaces 

For the solution of infinite-state model-checking problems, such as those of hybrid automata,
it is helpful if there exists a finite quotient space that preserves the properties
under consideration [Hen96]. Specifically, every timed automaton is bisimilar to a finite-state
automaton [AD94]; every 2d rectangular automaton (with two continuous variables) is
similar (simulation equivalent) to a finite-state automaton [HHK95]; and every rectangular
automaton is trace equivalent to a finite-state automaton [HHK95]. Since Ltl model checking
can be reduced to model checking on the trace-equivalence quotient, the decidability of
Ltl model checking for rectangular automata follows. The three characterizations are sharp;
for example, the similarity quotient of 3d rectangular automata can be infinite [HK96], and
therefore the quotient approach does not lead to branching-time model-checking algorithms
for rectangular automata.

¹For the sake of simplicity, in this abstract we restrict ourselves to the two-player case. All results
generalize immediately to more than two players.

We  show  that  for  appropriate  generalizations  of  the  state  equivalences,  the  results  for 
rectangular automata carry over to rectangular games. Possible equivalences are alternating
bisimilarity, alternating similarity, and alternating trace equivalence [AHKV98]. Specifically,
two states p and q of a game are alternating-1 trace equivalent if for every Ltl
formula $\varphi$, player-1 can guarantee an outcome that satisfies $\varphi$ from p iff she can guarantee
such an outcome from q. However, Ltl control cannot be reduced to controlling the
alternating trace-equivalence quotient. This is because in p and q player-1 may have to
employ different moves in order to ensure an outcome which satisfies $\varphi$. Such a distinction
is  lost  if  p  and  q  are  identified,  and  no  controller  can  be  synthesized  on  the  quotient  game. 
We  remedy  this  situation  by  making  the  moves  of  both  players  observable,  so  that  for  two 
states  to  be  equivalent,  the  strategies  to  achieve  a  common  objective  must  match.  The 
resulting  equivalences  on  the  states  of  games,  which  refine  the  alternating  equivalences,  are 
called  game  bisimilarity,  game  similarity,  and  game  trace  equivalence.  We  prove  that  every 
timed  game  is  game  bisimilar  to  a  finite-state  game;  that  every  2d  rectangular  game  is  game 
similar  to  a  finite-state  game;  and  that  every  rectangular  game  is  game  trace  equivalent  to  a 
finite-state  game.  Our  main  theorem,  the  decidability  of  Ltl  control  for  rectangular  games, 
follows. 

Ingredient  2  of  our  approach  to  infinite-state  control:  Symbolic  computation 

The  quotient  approach,  while  giving  decidability  results,  does  not  immediately  suggest 
practical  algorithms.  This  has  several  reasons.  First,  in  order  to  prove  the  existence  of  a 
suitable finite quotient space for a whole class of structures (such as the class of all rectangular
games), the resulting quotient is likely to be unnecessarily fine for any given structure
from  the  class.  Second,  the  explicit  construction  of  a  quotient  structure  by  enumerating 
all  equivalence  classes,  whether  or  not  they  are  relevant  to  the  property  at  hand,  is  likely 
to  be  unnecessarily  expensive.  In  model  checking,  the  symbolic  approach  often  provides  a 
superior  alternative.  For  example,  if  we  want  to  compute  the  states  from  which  a  particular 
target  region  of  a  rectangular  automaton  is  unreachable,  we  need  not  explicitly  construct 
the  finite  trace-equivalence  quotient,  but  only  iterate  a  pre  operator  on  the  target  region 
(pre of a region R yields all states that have successor states in R) and negate the result.
This  method  has  been  implemented  in  the  software  HyTech  [HHWT95].  The  existence  of 
the  finite  trace-equivalence  quotient  is  used  implicitly:  it  guarantees  the  termination  of  the 
pre  iteration. 

We initiate a systematic generalization of the symbolic approach to games. For this
purpose, we replace the pre operator on transition systems (one-player structures) with the
$upre_1$ and $upre_2$ operators on games (two-player structures): $upre_1$ of a region R yields all
states from which player-1 cannot prevent the game from entering a state in R within a single
step; that is, for every move of player-1, player-2 has a countermove so that the next state
is in R. Then, for example, by iterating the $upre_1$ operator on a target region, we obtain
all states from which player-1 cannot avoid eventual entry into the target region. We show
that for all rectangular games, the $upre_1$ iteration does indeed terminate. In the same spirit,
we also show how the upre operations, together with boolean operations on state sets, can
be used to compute the alternating bisimilarity and similarity quotients of a given game
structure, provided the desired quotient is finite. Hence, for a given rectangular game, the
symbolically computed quotient can be used to check which states can be controlled for
which Ltl formulas, and the corresponding controllers can be synthesized automatically.

2  Symbolic  Game  Structures 

A transition structure (or one-player game structure) $\mathcal{T} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves, Enabled, \delta)$
consists of a set Q of states, a set $\Pi$ of observations, an observation function $\langle\langle\cdot\rangle\rangle: Q \to 2^{\Pi}$
which maps each state to a set of observations, a set Moves of moves, an enabling function
$Enabled: Moves \to 2^Q$ which maps each move to the set of states in which it is enabled,
and a partial transition function $\delta: Q \times Moves \to 2^Q$ which maps each move m and each
state in $Enabled(m)$ to a set of successor states. A step of $\mathcal{T}$ is a triple $q \xrightarrow{m} q'$ such that
$q \in Enabled(m)$ and $q' \in \delta(q, m)$. A run of $\mathcal{T}$ is an infinite sequence $r = s_0 s_1 s_2 \ldots$ of steps
$s_j = q_j \xrightarrow{m_j} q'_j$ such that $q_{j+1} = q'_j$ for all $j \ge 0$. The corresponding trace, denoted by $\langle\langle r\rangle\rangle$,
is the infinite sequence $\langle\langle q_0\rangle\rangle \langle\langle q_1\rangle\rangle \langle\langle q_2\rangle\rangle \ldots$ of observation sets. The corresponding trace with
observable moves, denoted by $\langle\langle r\rangle\rangle_{obs}$, is the infinite sequence $\langle\langle q_0\rangle\rangle\, m_0\, \langle\langle q_1\rangle\rangle\, m_1\, \langle\langle q_2\rangle\rangle\, m_2 \ldots$ of
alternating observation sets and moves. For a state q, the outcome $R^q$ from q is the set of
all runs of $\mathcal{T}$ which start at q. For a set R of runs, we write $\langle\langle R\rangle\rangle$ for the set $\{\langle\langle r\rangle\rangle \mid r \in R\}$
of corresponding traces, and similarly for traces with observable moves.

2.1  Game  structures  and  the  LTL  control  problem 

A (two-player) game structure $\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$ consists
of the same components as above, only that $Moves_1$ (respectively $Moves_2$) is the set
of moves of player-1 (respectively player-2), $Enabled_1: Moves_1 \to 2^Q$, $Enabled_2: Moves_2 \to 2^Q$,
and the partial transition function $\delta: Q \times Moves_1 \times Moves_2 \to 2^Q$ maps each move
$m_1$ of player-1, each move $m_2$ of player-2, and each state in $Enabled_1(m_1) \cap Enabled_2(m_2)$
to a set of successor states. For i = 1, 2, we define $mov_i: Q \to 2^{Moves_i}$ to yield for
each state q the set $mov_i(q) = \{m \in Moves_i \mid q \in Enabled_i(m)\}$ of player-i moves
that are enabled in q. With the game $\mathcal{G}$ we associate the underlying transition structure
$\mathcal{T}_{\mathcal{G}} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1 \times Moves_2, Enabled, \delta')$, where $Enabled(m_1, m_2) = Enabled_1(m_1) \cap Enabled_2(m_2)$
and $\delta'(q, (m_1, m_2)) = \delta(q, m_1, m_2)$.

At each step of a game, player-1 chooses a move $m_1$ which is enabled in the current
state q, player-2 independently chooses a move $m_2$ which is enabled in q, and the game
proceeds nondeterministically to a new state in $\delta(q, m_1, m_2)$. Formally, a step of $\mathcal{G}$ is a
triple $q \xrightarrow{m_1, m_2} q'$ such that $q \in Enabled_1(m_1) \cap Enabled_2(m_2)$ and $q' \in \delta(q, m_1, m_2)$. The
runs and traces (with or without observable moves) of games are defined as for transition
structures.

A strategy for player-i is a function $f_i: Q^+ \to Moves_i$ such that $f_i(w \cdot q) \in mov_i(q)$
for every state sequence $w \in Q^*$ and state $q \in Q$. The strategy $f_i$ is memory-free if
$f_i(w \cdot q) = f_i(w' \cdot q)$ for all $w, w' \in Q^*$ and $q \in Q$. Let $f_1$ and $f_2$ be strategies for player-1
and player-2, respectively. The outcome $R^q_{f_1, f_2}$ from state $q \in Q$ for the strategies $f_1$ and
$f_2$ is a subset of the runs of $\mathcal{G}$ which start at q: a run $s_0 s_1 s_2 \ldots$ is in $R^q_{f_1, f_2}$ if for all $j \ge 0$,
if $s_j = q_j \xrightarrow{m_1^j, m_2^j} q'_j$, then $m_i^j = f_i(q_0 q_1 \cdots q_j)$ for i = 1, 2 and $q_0 = q$. The formulas of linear
temporal logic (Ltl) are generated inductively by the grammar

$\varphi ::= \pi \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \quad \mid \quad$

where $\pi$ is an observation in $\Pi$. The Ltl formulas are interpreted over the traces of $\mathcal{G}$ in
the usual way [Eme90]. We write $t \models \varphi$ if the trace t satisfies the Ltl formula $\varphi$. Player-1
can control the state $q \in Q$ for $\varphi$ if there exists a strategy $f_1$ of player-1 such that for
every strategy $f_2$ of player-2, $\langle\langle r\rangle\rangle \models \varphi$ for every run $r \in R^q_{f_1, f_2}$. In this case, we say that
the strategy $f_1$ witnesses the player-1 controllability of q for $\varphi$.

The Ltl control problem asks, given a game structure $\mathcal{G}$ and an Ltl formula $\varphi$, which
states of $\mathcal{G}$ can be controlled by player-1 for $\varphi$. The Ltl controller synthesis problem asks,
in addition, for the construction of witnessing strategies. If the game structure $\mathcal{G}$ is finite,
the Ltl control problem is Ptime-complete in the size of $\mathcal{G}$ and 2Exptime-complete in
the length of $\varphi$ [Ros92, AHK97]. While for simple Ltl formulas such as safety ($\Box\pi$ for
$\pi \in \Pi$) controllability ensures the existence of memory-free witnesses, this is not the case
for arbitrary Ltl formulas [Tho95].

2.2  State  equivalences  and  quotients  for  game  structures 

State equivalences on transition structures. Consider a transition structure
$\mathcal{T} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves, Enabled, \delta)$. A binary relation A* $\subseteq Q \times Q$ is a (forward) simulation if
p q implies the following two conditions:

1. $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$.

2. $\forall m \in mov(p).\ \forall p' \in \delta(p, m).\ \exists m' \in mov(q).\ \exists q' \in \delta(q, m').$ p' q'.

We say that p is simulated by q, in symbols p q, if there is a simulation A* with p A* q.
We write p =‘^ q if both p q and q p. The relation =‘^ is called similarity. A binary
relation on Q is a bisimulation if is a symmetric simulation. Define p q if there
is a bisimulation with p q. The relation is called bisimilarity. A binary relation
on Q is a backward simulation if p q implies $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$ and for all states p', for all
moves $m \in mov(p')$ such that $p \in \delta(p', m)$ there exists a state q' and a move $m' \in mov(q')$
such that $q \in \delta(q', m')$ and p' q'. A binary relation A* on Q is a trace containment if
p q implies $\langle\langle R^p\rangle\rangle \subseteq \langle\langle R^q\rangle\rangle$. Define p q if there is a trace containment with p A* q.
We write p q if both p q and q p. The relation is called trace equivalence.

We also define stronger versions of these equivalences, where the moves are observable.
A simulation A* has observable moves if condition 2 is strengthened to

2a. $mov(p) \subseteq mov(q)$;

2b. $\forall m \in mov(p).\ \forall p' \in \delta(p, m).\ \exists q' \in \delta(q, m).$ p' q'.

Similarity with observable moves, denoted is the kernel of the coarsest simulation with
observable moves; and bisimilarity with observable moves, is the coarsest symmetric
simulation with observable moves. Two states p and q are trace equivalent with observable
moves, written p q, if $\langle\langle R^p\rangle\rangle_{obs} = \langle\langle R^q\rangle\rangle_{obs}$.

Clearly, refines =‘^ , and =‘^ refines =^. The relations with observable moves refine
the corresponding relations without observable moves. In general, all refinements are proper.

²Our choice to control for Ltl formulas rather than, say, $\omega$-automata [Tho95] is arbitrary. In the latter
case, only the complexity results must be modified accordingly.

Alternating state equivalences on game structures. Consider a game structure

$\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$.

The following definitions, due to [AHKV98], capture various notions of when two states
have the same controllability properties. A binary relation $\subseteq Q \times Q$ is an alternating
player-1 simulation if p q implies

1. $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$.

2. $\forall m'_1 \in mov_1(q).\ \exists m_1 \in mov_1(p).\ \forall m_2 \in mov_2(p).\ \forall p' \in \delta(p, m_1, m_2).\ \exists m'_2 \in mov_2(q).\ \exists q' \in \delta(q, m'_1, m'_2).$ p' q'.

Note  that  all  nondeterminism  in  the  outcome  of  a  game  is  controlled  by  the  adversarial 
player-2.  To  define  alternating  player-2  simulation,  switch  the  occurrences  of  1  and  2  in 
the  above  definition.  We  say  that  p  is  alternating  player-i  simulated  by  q,  denoted  p  A?  q, 
if  there  exists  an  alternating  player-i  simulation  such  that  p  q.  The  states  p  and 
q  are  alternating  player-i  similar,  denoted  p  =f  q,  if  p  A?  q  and  q  A?  p.  An  alternating 
player-i  bisimulation  is  a  symmetric  alternating  player-i  simulation  =^.  The  states  p  and 
q  are  alternating  player-i  bisimilar,  denoted  p  =f  q,  if  there  exists  an  alternating  player-i 
bisimulation  =\  such  that  p  =\  q. 

The state p is alternating player-1 trace contained by q, denoted p q, if for every
strategy $f_1$ of player-1, there exists a strategy $f'_1$ of player-1 such that for every strategy
$f'_2$ of player-2, there exists a strategy $f_2$ of player-2 such that $\langle\langle R^p_{f'_1, f'_2}\rangle\rangle \subseteq \langle\langle R^q_{f_1, f_2}\rangle\rangle$. To define
alternating player-2 trace containment, switch the occurrences of 1 and 2 in the above
definition. The states p and q are alternating player-i trace equivalent, denoted p q, if
p q and q :<f p.

On game structures, =f refines =f , and =f refines =f" [AHKV98]. Moreover, alternating
trace equivalence characterizes Ltl controllability.

Proposition 2.1 [AHKV98] Consider two states p and q of a game structure. If p :<f q,
then for every Ltl formula $\varphi$, if player-i can control p for $\varphi$, then player-i can also control
q for $\varphi$. Conversely, if p q, then there exists an Ltl formula $\varphi$ such that player-i can
control for $\varphi$ at p but not at q.

However, if p q, then in order to control for some Ltl formula $\varphi$, player-i may have to
use different moves at p and q, even if p and q are alternating player-i bisimilar. This is
shown by the game structure of figure 1.

Game equivalences. In order to preserve not only controllability, but also the moves
of the controller, we define alternating state equivalences with observable moves; they are
called game equivalences. A binary relation $\subseteq Q \times Q$ is a game simulation if p q
implies the following conditions:

1. $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$.

2a. $mov_1(q) \subseteq mov_1(p)$ and $mov_2(p) \subseteq mov_2(q)$;

2b. $\forall m_1 \in mov_1(q).\ \forall m_2 \in mov_2(p).\ \forall p' \in \delta(p, m_1, m_2).\ \exists q' \in \delta(q, m_1, m_2).$ p' q'.

Note that the symmetry of the quantifiers implies that game simulations need not be parameterized
by a player. A relation on Q is a game trace containment if p q
implies that for all strategies $f_1$ of player-1, there exists a strategy $f'_1$ of player-1 such that
for all strategies $f'_2$ of player-2, there exists a strategy $f_2$ of player-2 such that
$\langle\langle R^p_{f'_1, f'_2}\rangle\rangle_{obs} \subseteq \langle\langle R^q_{f_1, f_2}\rangle\rangle_{obs}$. From this, game similarity, game bisimilarity, and game trace
equivalence —gi)g are defined in the familiar way.

Figure 1: Player-1 needs to use different moves at the states $q_1$ and $q_2$ to control for $\Box\pi$,
even though $q_1$ and $q_2$ are alternating player-1 bisimilar.

It is not difficult to check that refines that =gi)g refines =o(,g, and that each
game relation refines the corresponding alternating relations for both players. The following
proposition, which follows immediately from the definitions, characterizes the game equivalences
in terms of the underlying transition structure: if the moves are observable, then
the game structure can be flattened.

Proposition 2.2 Two states p and q of a game structure $\mathcal{G}$ are game bisimilar (respectively,
game similar, game trace equivalent) if p and q are bisimilar (respectively, similar, trace
equivalent) with observable moves in the underlying transition structure $\mathcal{T}_{\mathcal{G}}$.

We will now show that, unlike the alternating equivalences, the game equivalences on a game
structure suggest quotient structures that can be used for control. Let = be an equivalence
relation on Q such that p = q implies p q. The quotient structure $\mathcal{G}/{=}$ of $\mathcal{G}$ with respect
to = is the game structure $(Q/{=}, \Pi, \langle\langle\cdot\rangle\rangle/{=}, Moves_1, Moves_2, Enabled_1/{=}, Enabled_2/{=}, \delta/{=})$ with

— $Q/{=} = \{[q]_{=} \mid q \in Q\}$ is the set of equivalence classes of =;

— $\langle\langle [q]_{=}\rangle\rangle/{=} = \langle\langle q\rangle\rangle$ (note that $\langle\langle\cdot\rangle\rangle/{=}$ is well defined since $\langle\langle\cdot\rangle\rangle$ is uniform across
each equivalence class);

— $[q]_{=} \in Enabled_1(m)/{=}$ if $\exists p \in [q]_{=}.\ p \in Enabled_1(m)$ (note that this is equivalent
to $\forall p \in [q]_{=}.\ p \in Enabled_1(m)$ since = refines ), and analogously
for $Enabled_2(m)/{=}$;

— $[q']_{=} \in \delta([q]_{=}, m_1, m_2)/{=}$ if $\exists p' \in [q']_{=}.\ \exists p \in [q]_{=}.\ p' \in \delta(p, m_1, m_2)$.

The following proposition reduces control on $\mathcal{G}$ to control on the quotient structure $\mathcal{G}/{=}$.

Proposition 2.3 Let $\mathcal{G}$ be a game structure with state set Q, let = be an equivalence
relation on Q such that p = q implies p q, let $\varphi$ be an Ltl formula, and let q be a
state of $\mathcal{G}$. Then player-1 can control q for $\varphi$ in $\mathcal{G}$ iff player-1 can control $[q]_{=}$ for $\varphi$ in the
quotient structure $\mathcal{G}/{=}$. Moreover, if the strategy $f_1$ witnesses the player-1 controllability of
$[q]_{=}$ for $\varphi$ in $\mathcal{G}/{=}$, then the strategy $f'_1$ with $f'_1(p_0 \cdots p_k) = f_1([p_0]_{=} \cdots [p_k]_{=})$ witnesses the
player-1 controllability of q for $\varphi$ in $\mathcal{G}$.

2.3 Symbolic algorithms for game structures

Consider a transition structure $\mathcal{T} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves, Enabled, \delta)$. A symbolic representation
$\mathcal{R}_{\mathcal{T}}$ consists of the state and observation components $(Q, \Pi, \langle\langle\cdot\rangle\rangle)$ of $\mathcal{T}$ together with
(1) a computable function $pre: 2^Q \to 2^Q$ on state sets, which maps every state set to the
set of predecessor states

$pre(P) = \{q \in Q \mid \exists m \in Moves.\ \exists p \in \delta(q, m).\ p \in P\}$,

and (2) computable boolean operations on state sets (if either pre or a boolean operation
is not computable, then $\mathcal{T}$ has no symbolic representation). The symbolic representation
gives rise to fixpoint algorithms for computing the bisimilarity equivalence (this
algorithm is often called partition refinement), the similarity equivalence [HHK95],
and given an observation $\pi \in \Pi$, the set of states q such that all traces in $\langle\langle R^q\rangle\rangle$ satisfy
the invariant $\Box\pi$ (compute $\neg \bigcup_{j \ge 0} pre^j(\neg\pi)$). For details on the fixpoint computations
and termination conditions, see [Hen96]. Here, we simply refer to the three algorithms as
algorithms for symbolic bisimilarity, symbolic similarity, and symbolic safety checking.

Now consider a game structure $\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$.
A symbolic representation $\mathcal{R}_{\mathcal{G}}$ consists of the state and observation components $(Q, \Pi, \langle\langle\cdot\rangle\rangle)$
of $\mathcal{G}$ together with (1) two computable functions $upre_1, upre_2: 2^Q \to 2^Q$ on state sets such
that

$upre_1(P) = \{q \in Q \mid \forall m_1 \in mov_1(q).\ \exists m_2 \in mov_2(q).\ \exists p \in \delta(q, m_1, m_2).\ p \in P\}$

($upre_2$ is defined symmetrically), and (2) computable boolean operations on state sets. If
we simply replace every pre operation by a $upre_1$ operation in the algorithms for symbolic
bisimilarity, symbolic similarity, and symbolic safety checking, we refer to the resulting procedures
as algorithms for symbolic alternating bisimilarity, symbolic alternating similarity,
and symbolic safety control. For example, the algorithm for symbolic safety control computes
$\neg \bigcup_{j \ge 0} upre_1^j(\neg\pi)$. The names of the algorithms are justified by the following theorem.

Theorem 2.1 1. The algorithm for symbolic alternating bisimilarity terminates when
applied to a symbolic representation $\mathcal{R}_{\mathcal{G}}$ of a game structure $\mathcal{G}$ whose alternating bisimilarity
quotient is finite. If the algorithm terminates, its output is = f .

2. The algorithm for symbolic alternating similarity terminates when applied to a symbolic
representation $\mathcal{R}_{\mathcal{G}}$ of a game structure $\mathcal{G}$ whose alternating similarity quotient is
finite. If the algorithm terminates, its output is =f.

3. If the algorithm for symbolic safety control terminates when applied to a symbolic
representation $\mathcal{R}_{\mathcal{G}}$ of a game structure $\mathcal{G}$, its output is the set of states of $\mathcal{G}$ which
player-1 can control for $\Box\pi$.
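
The following Python code is an added example, not code from the paper: it runs symbolic safety control on a small finite game structure constructed for illustration (the state names, moves and transition table are assumptions). It accumulates upre_1 from the unsafe region until a fixpoint is reached, complements the result, and extracts a memory-free witnessing strategy, which uses different moves at q1 and q2, the situation the caption of Figure 1 describes.

```python
"""Symbolic safety control on a finite two-player game structure.

Constructed example: the states, moves and transitions are made up for
illustration; only the upre_1 operator follows the definition in the text.
"""
from itertools import product

STATES = {"q1", "q2", "q3", "q4", "safe", "bad"}
PI_STATES = STATES - {"bad"}                 # states whose observation set contains pi
MOV1 = {q: {"a", "b"} for q in STATES}       # mov_1(q): player-1 moves enabled in q
MOV2 = {q: {1, 2} for q in STATES}           # mov_2(q): player-2 moves enabled in q


def build_delta():
    """Transition function delta(q, m1, m2) -> set of successors (constructed)."""
    d = {}
    for m1, m2 in product("ab", (1, 2)):
        d["q1", m1, m2] = {"safe"} if m1 == "a" else {"bad"}   # a is the safe move
        d["q2", m1, m2] = {"safe"} if m1 == "b" else {"bad"}   # b is the safe move
        # At q3 player-2 has a countermove to every player-1 move that reaches q4.
        d["q3", m1, m2] = {"q4"} if (m1, m2) in {("a", 2), ("b", 1)} else {"safe"}
        d["q4", m1, m2] = {"bad"}
        d["safe", m1, m2] = {"safe"}
        d["bad", m1, m2] = {"bad"}
    return d


DELTA = build_delta()


def upre1(region, mov1=MOV1, mov2=MOV2, delta=DELTA):
    """States where every player-1 move has a player-2 countermove into region.

    A state with no enabled player-1 move satisfies the condition vacuously.
    """
    return {
        q for q in mov1
        if all(any(delta[q, m1, m2] & region for m2 in mov2[q]) for m1 in mov1[q])
    }


def safety_control(pi_states, states=STATES):
    """States from which player-1 can keep the game inside pi_states forever.

    Accumulates upre_1 from the unsafe region until nothing changes
    (least fixpoint of X = not-pi union upre_1(X)), then complements.
    """
    losing = set(states) - set(pi_states)
    while True:
        grown = losing | upre1(losing)
        if grown == losing:
            return set(states) - losing
        losing = grown


def synthesize(winning, mov1=MOV1, mov2=MOV2, delta=DELTA):
    """Memory-free witness: for each winning state, a move that cannot leave winning."""
    strategy = {}
    for q in sorted(winning):
        for m1 in sorted(mov1[q]):
            if all(delta[q, m1, m2] <= winning for m2 in mov2[q]):
                strategy[q] = m1
                break
    return strategy


WINNING = safety_control(PI_STATES)
STRATEGY = synthesize(WINNING)

if __name__ == "__main__":
    print("upre_1({bad}) =", sorted(upre1({"bad"})))
    print("controllable  =", sorted(WINNING))
    print("strategy      =", STRATEGY)
```

The iteration terminates here because the state set is finite; for rectangular games the text relies on the finite quotient to guarantee termination.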


3  Rectangular  Games 

In  this  section,  we  apply  the  techniques  developed  in  the  previous  section  to  a  particular 
class  of  infinite-state  game  structures:  rectangular  hybrid  games.  For  infinite-state  games, 
algorithms  for  computing  control  strategies  must  either  proceed  symbolically  on  the  state 
space, or reduce the state space to a finite quotient. We show that suitable finite quotients
do exist for all rectangular games, and symbolic algorithms do terminate for some important
cases  — timed/singular  games,  2d  rectangular  games,  and  rectangular  safety  games. 

We generalize the rectangular automata of [HKPV98] to rectangular games, which are
suitable for the study of control problems. A subset of $\mathbb{R}^n$ is rectangular if it is the cartesian
product of n intervals, all of whose (finite) endpoints are rational. For the sake of simplicity,
in this abstract we restrict ourselves to the case where all rectangles are closed and bounded.³
Let $\Re^n$ denote the set of all rectangles. If R is a rectangle, denote by $R_i$ the projection
of R on its ith coordinate, so that $R = \prod_{i=1}^{n} R_i$. For i = 1, 2, let $Moves_i^{time} = Moves_i \uplus \{time\}$,
where time is a special symbol not in $Moves_1$ or $Moves_2$. A rectangular game
$\mathcal{R} = (L, X, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, flow, E, jump, post)$ consists of a finite set
L of locations; a set $X = \{x_1, \ldots, x_n\}$ of real-valued variables; a set $\Pi$ of observations; an
observation function $\langle\langle\cdot\rangle\rangle: L \to 2^{\Pi}$; for i = 1, 2, the set $Moves_i$ of moves of player-i;
for i = 1, 2, the function $Enabled_i: Moves_i^{time} \times L \to \Re^n$, which specifies for each move
$m_i$ of player-i and each location $\ell$, the rectangle in which $m_i$ is enabled when control
is at $\ell$; the function $flow: L \to \Re^n$, which maps each location $\ell$ to a rectangle which
constrains the evolution of the continuous variables when control is at $\ell$; the set
$E \subseteq (L \times Moves_1 \times Moves_2^{time} \times L) \cup (L \times Moves_1^{time} \times Moves_2 \times L)$ of edges which specifies how
control may pass from one location to another; the function $jump: E \to 2^{\{1, \ldots, n\}}$ which
maps each edge to the indices of continuous variables which are reset upon jumping along
that edge; and the function $post: E \to \Re^n$ which constrains the values of the continuous
variables after a jump. The dimension of $\mathcal{R}$ is n, the number of continuous variables. Note
that for some set $\{R^{\ell} \mid \ell \in L\}$ of rectangles, $Enabled_1(time, \ell) \cap Enabled_2(time, \ell) = R^{\ell}$.
We therefore define the invariant region $inv(\ell)$ of location $\ell$ to be $R^{\ell}$.

Informally,  when  a  rectangular  game  is  in  state  {I,  x),  time  can  progress  as  long  as  both 
players  choose  time,  and  the  system  is  in  the  invariant  region  inv{i).  In  addition,  each 
player  is  allowed  to  choose  a  discrete  move  that  is  enabled  at  the  current  state.  During 
discrete  steps,  for  each  *  in  the  jump  set  jump{e),  Xi  is  nondeterministically  assigned  a  new 
value  in  the  postguard  interval  post{e)i.  For  each  *  ^  jump{e),  Xi  is  not  changed,  and  must 
lie  in  post{e)i.  Note  that  the  timed  games  of  [HW92,  MPS95,  AMPS98]  are  special  cases  of 
our  rectangular  games. 

As  an  example,  consider  an  assembly  line  scheduler  that  must  assign  each  element  from 
an  incoming  stream  of  parts  to  one  of  two  assembly  lines.  At  least  four  minutes  pass  between 

®The  general  case  can  be  treated  analogously  to  [HKPV98]. 
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the  arrivals  of  two  successive  parts.  The  two  assembly  lines  process  jobs  at  different  speeds: 
on  the  first  line,  a  job  moves  with  a  velocity  between  one  and  two  meters  per  minute, 
whereas  on  the  second  line,  a  job  moves  with  velocity  between  two  and  three  meters  per 
minute.  Jobs  must  travel  five  meters  on  the  first  line  and  six  meters  on  the  second.  Once 
an  assembly  line  finishes  a  job,  there  is  a  clean-up  phase,  which  introduces  a  delay  of  two 
minutes  for  the  first  line  and  three  minutes  for  the  second  line  before  the  line  can  accept 
a  new  job.  If  a  job  arrives  when  no  line  is  ready  to  accept  it  or  when  a  job  is  currently 
being  processed,  the  system  shuts  down.  We  wish  to  have  a  control  strategy  that  ensures 
that  the  system  never  shuts  down.  We  model  the  system  as  a  rectangular  game,  pictured 
in  figure  2.  The  states  are  idle,  to  indicate  that  no  request  is  being  processed,  linei  and 
line2,  to  indicate  which  line  is  processing,  and  shutdown.  The  continuous  variable  r  tracks 
the  time  since  the  last  arrival;  variables  li  and  I2  measure  the  amount  of  time  since  line  one 
and  line  two  completed  their  last  jobs;  and  variables  xi  and  X2  measure  the  distance  a  job 
has  travelled  along  line  one  and  line  two.  The  plant  has  a  single  move,  request,  which  alerts 
the  scheduler  to  the  arrival  of  a  new  job.  The  moves  of  the  scheduler  are  assigui,  assign2, 
and  done.  The  functions  Enabledi  and  post  can  be  inferred  from  the  guards  on  the  edges  in 
figure  2.  It  can  be  seen  that  a  strategy  which  assigns  jobs  first  to  one  assembly  line,  then  to 
the  other,  and  so  on,  ensures  that  the  system,  when  started  from  location  idle,  and  r  >  4, 
>  2,  ^2  >  2,  never  shuts  down.  It  can  also  be  seen  that  a  strategy  that  always  chooses 
the  same  line  does  not  work. 

We now formally define the semantics of rectangular games. With the $n$-dimensional
rectangular game $\mathcal{R}$ we associate the underlying game structure

$G_{\mathcal{R}} = (L \times \mathbb{R}^n, \Pi, \langle\langle\cdot\rangle\rangle', Moves_1^{time}, Moves_2^{time}, Enabled_1, Enabled_2, \delta)$

where $\langle\langle(\ell, \mathbf{x})\rangle\rangle' = \langle\langle\ell\rangle\rangle$, and
$(\ell', \mathbf{x}') \in \delta((\ell, \mathbf{x}), m_1, m_2)$ if either

— [Time step of duration $t > 0$] $\ell' = \ell$, $(m_1, m_2) = (time, time)$ and
$\mathbf{x}' = \mathbf{x} + t \cdot \mathbf{s}$, where $\mathbf{s} \in flow(\ell)$ and for all
$0 < t' < t$, $(\mathbf{x} + t' \cdot \mathbf{s}) \in inv(\ell)$;

— [Discrete step] there exists an edge $e = (\ell, m_1, m_2, \ell') \in E$ such that for
$i = 1, 2$, $m_i \in mov_i(\ell, \mathbf{x})$, $\mathbf{x}' \in post(e)$, and $x'_j = x_j$ for all
$j \notin jump(e)$.

For a rectangular game $\mathcal{R}$, and an Ltl formula $\varphi$, the Ltl control problem asks which
states of $G_{\mathcal{R}}$ can be controlled for $\varphi$. Since the divergence of time can be expressed
in Ltl, when studying the Ltl control problem there is no need to restrict our attention to the
runs of a rectangular game along which the sum of durations of all time steps diverges.

Let $x_i$ be a variable of a rectangular game $\mathcal{R}$. The variable $x_i$ is a clock if for each
location $\ell$, $flow(\ell)_i = [1, 1]$, and a finite-slope variable if for each location $\ell$,
$flow(\ell)_i$ is a singleton. The rectangular game $\mathcal{R}$ has deterministic jumps if for each
edge $e$, and each coordinate $i \in jump(e)$, the interval $post(e)_i$ is a singleton. The rectangular
game $\mathcal{R}$ is initialized if for every edge $e = (\ell, \cdot, \cdot, \ell')$ and every coordinate
$i$, if $flow(\ell)_i \neq flow(\ell')_i$ then $i \in jump(e)$. If $\mathcal{R}$ has deterministic jumps,
then $\mathcal{R}$ is a timed game if every variable is a clock, and $\mathcal{R}$ is a singular game if
every variable is a finite-slope variable. In what follows, we shall only consider initialized
rectangular games with deterministic jumps (for non-initialized games, the reachability problem is
already undecidable [HKPV98]). Without loss of generality, we assume that all constants appearing
in the definition of a rectangular game are integers.

The alternating bisimilarity (similarity, language-equivalence) quotient of a rectangular
game $\mathcal{R}$ is defined to be the alternating bisimilarity (similarity, language-equivalence)
quotient on the underlying game structure $G_{\mathcal{R}}$. In what follows, we shall speak of one
rectangular game $\mathcal{R}_1$ simulating another rectangular game $\mathcal{R}_2$, with the
understanding that this refers to a simulation relation on the disjoint union of the states of
$G_{\mathcal{R}_1}$ and the states of $G_{\mathcal{R}_2}$.
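The side conditions defined above (clock, finite-slope variable, deterministic jumps, initialized) can be checked mechanically on a model before any synthesis is attempted. The following Python sketch is an added example, not code from the paper or from HyTech; the dictionary layout, the choice of the scheduler as player 1, and the two-location fragment of the assembly-line model (with x1 at slope 0 in idle and postguard bounds of 100) are assumptions made for illustration.

```python
from fractions import Fraction as F

def pt(v):
    """The singleton interval [v, v]."""
    return (F(v), F(v))

def noninitialized(game):
    """Pairs (edge, i) where flow(l)_i != flow(l')_i but i is not in jump(e)."""
    bad = []
    for e in game["edges"]:
        src, dst = e[0], e[3]                     # e = (l, m1, m2, l')
        for i, (fs, fd) in enumerate(zip(game["flow"][src], game["flow"][dst])):
            if fs != fd and i not in game["jump"][e]:
                bad.append((e, i))
    return bad

def nondeterministic_jumps(game):
    """Pairs (edge, i) with i in jump(e) whose post(e)_i is not a singleton."""
    return [(e, i) for e in game["edges"] for i in sorted(game["jump"][e])
            if game["post"][e][i][0] != game["post"][e][i][1]]

def classify(game):
    """Name the class of the model, following the definitions in the text."""
    if noninitialized(game):
        return "non-initialized"
    if nondeterministic_jumps(game):
        return "initialized, nondeterministic jumps"
    intervals = [iv for loc in game["flow"].values() for iv in loc]
    if all(iv == pt(1) for iv in intervals):      # every variable is a clock
        return "timed"
    if all(lo == hi for lo, hi in intervals):     # every variable has finite slope
        return "singular"
    return "initialized rectangular"

# Constructed fragment of the assembly-line model: variables (r, x1).
ASSIGN = ("idle", "assign1", "time", "line1")
DONE = ("line1", "done", "time", "idle")
GAME = {
    "edges": [ASSIGN, DONE],
    "flow": {"idle": [pt(1), pt(0)], "line1": [pt(1), (F(1), F(2))]},
    "jump": {ASSIGN: {1}, DONE: {1}},             # x1 is reset on both edges
    "post": {ASSIGN: [(F(0), F(100)), pt(0)], DONE: [(F(0), F(100)), pt(0)]},
}
# Same model with the reset of x1 on the assign edge forgotten.
BROKEN = dict(GAME, jump={ASSIGN: set(), DONE: {1}})
GO = ("a", "go", "time", "b")
TIMED = {"edges": [GO], "flow": {"a": [pt(1)], "b": [pt(1)]},
         "jump": {GO: {0}}, "post": {GO: [pt(0)]}}

if __name__ == "__main__":
    for name, g in (("GAME", GAME), ("BROKEN", BROKEN), ("TIMED", TIMED)):
        print(name, classify(g), noninitialized(g))
```

A model reported as non-initialized falls outside the class treated in the rest of the paper; the diagnostic list names the edge and coordinate whose reset is missing.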

3.1  Game  bisimilarity  for  singular  games 

To see that every singular game has a finite game bisimilarity quotient, we first define region
equivalence, as follows. Let $a = (a_1, \ldots, a_n)$ be an $n$-tuple of integers. Let $fract(x)$ denote
the fractional part of $x$. For a vector $\mathbf{x}$, let $fract(\mathbf{x})$ denote the vector whose
$i$th coordinate is $fract(x_i)$. Define $\mathbf{x} \equiv_a \mathbf{y}$ iff for $i = 1, 2$,
(1) $\lfloor a_i x_i \rfloor = \lfloor a_i y_i \rfloor$, (2) $fract(a_i x_i) = 0$ iff $fract(a_i y_i) = 0$,
and (3) for $j \neq i$, $fract(a_i x_i) < fract(a_j x_j)$ iff $fract(a_i y_i) < fract(a_j y_j)$.
Using this, we define the region equivalence relation on the states of a singular game
[AD94, ACH+95]. For each $x_i \in X$, let $c_i$ denote the largest rational constant with which
$x_i$ is compared in the singular game. Two states $(\ell, \mathbf{x})$ and $(\ell', \mathbf{x}')$ are
region equivalent if (1) $\ell = \ell'$, (2) for all $x_i \in X$, either
$\lfloor x_i \rfloor = \lfloor x'_i \rfloor$ or both $\lfloor x_i \rfloor$ and $\lfloor x'_i \rfloor$ are
greater than $c_i$, and (3) $fract(\mathbf{x}) \equiv_a fract(\mathbf{x}')$, where $a_i = k_i$ if
$flow(\ell)_{x_i} = [k_i, k_i]$, $k_i \neq 0$, and $a_i = 1$ if $k_i = 0$. Note that
$a = (1, 1, \ldots, 1)$ for a timed game.

In  [AD94,  ACH+95],  it  was  shown  that  region  equivalence  is  a  bisimulation  for  all  timed 
and  singular  automata.  In  fact,  using  Proposition  2.2,  we  can  show  the  stronger  result  that 
region  equivalence  is  a  game  bisimulation  for  all  singular  games. 

Theorem 3.1 For every singular game, the region equivalence refines the game
bisimilarity, which is equal to the alternating player-$i$ bisimilarities for both $i = 1, 2$.

Corollary 3.1 Every singular game has a finite quotient structure with respect to game
bisimilarity. It can be computed by the algorithm for symbolic alternating bisimilarity, which
terminates when applied to singular games.

(It should be noted that Proposition 2.2 indicates an alternative way of symbolically
computing the game bisimilarity, which is inferior, however, because it must explicitly handle
moves.) The game bisimilarity quotient of a singular game may have an exponential number of
equivalence classes (regions). Since it refines game trace equivalence, by Proposition 2.3, the
finite quotient can be used for Ltl controller synthesis.

Corollary 3.2 The Ltl control problem for singular games is Exptime-complete in the
size of the game and 2Exptime-complete in the length of the Ltl formula.

Singular games are a maximal class of hybrid games for which finite alternating bisimilarity
quotients exist. In particular, there exists a 2d rectangular game $\mathcal{R}$ such that the equality
relation is the only alternating player-1 bisimulation on $G_{\mathcal{R}}$ [Hen95].

3.2  Game  similarity  for  2D  rectangular  games 

We define the double-region equivalence relation on the states of a 2d rectangular game
as the intersection of two region equivalences, as follows. Let $\equiv_a$ and $\equiv_b$ be two
equivalence relations as defined above. Call the intersection of these two equivalence relations
$\equiv_{a,b}$. Let $c$ be the largest rational constant that appears in the definition of the 2d
rectangular game. For a location $\ell$ with $flow(\ell) = [a_1, b_1] \times [a_2, b_2]$, let
$\ell_a = (a_2, b_1)$ and $\ell_b = (b_2, a_1)$. Two states $(\ell, \mathbf{x})$ and $(\ell', \mathbf{y})$
of a 2d rectangular game are double-region equivalent if (1) $\ell = \ell'$,
(2) $fract(\mathbf{x}) \equiv_{\ell_a, \ell_b} fract(\mathbf{y})$, and (3) for $i = 1, 2$ either
$\lfloor x_i \rfloor = \lfloor y_i \rfloor$ or both $x_i > c$ and $y_i > c$. Note that the number of
equivalence classes of the double-region equivalence is exponential in the description of the 2d
rectangular game.
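The scaled relation on vectors and the two state equivalences built on it (region equivalence for singular games in Section 3.1, double-region equivalence above) can be executed directly on concrete states. The following Python sketch is an added example, not code from the paper; the function names, the dictionary layout of `slopes` and `flow`, and the sample states are assumptions, the scaling vectors are taken as (a2, b1) and (b2, a1), and conditions (1)-(3) are checked over every coordinate rather than only i = 1, 2.

```python
from fractions import Fraction as F
from math import floor

def fract(v):
    """Fractional part of a rational number."""
    return v - floor(v)

def equiv_a(a, x, y):
    """The scaled relation on vectors: conditions (1)-(3), for every coordinate."""
    sx = [ai * xi for ai, xi in zip(a, x)]
    sy = [ai * yi for ai, yi in zip(a, y)]
    for i in range(len(a)):
        if floor(sx[i]) != floor(sy[i]):                    # (1) equal integer parts
            return False
        if (fract(sx[i]) == 0) != (fract(sy[i]) == 0):      # (2) same zero fractions
            return False
        for j in range(len(a)):                             # (3) same fraction ordering
            if j != i and ((fract(sx[i]) < fract(sx[j]))
                           != (fract(sy[i]) < fract(sy[j]))):
                return False
    return True

def region_equivalent(s, t, slopes, c):
    """Region equivalence of states (location, vector) of a singular game.
    slopes[l][i] is k_i with flow(l)_i = [k_i, k_i]; c[i] is the constant c_i."""
    (ls, x), (lt, y) = s, t
    if ls != lt:
        return False
    for xi, yi, ci in zip(x, y, c):
        if floor(xi) != floor(yi) and not (floor(xi) > ci and floor(yi) > ci):
            return False
    a = [k if k != 0 else 1 for k in slopes[ls]]            # a_i = k_i, or 1 when k_i = 0
    return equiv_a(a, [fract(v) for v in x], [fract(v) for v in y])

def double_region_equivalent(s, t, flow, c):
    """Double-region equivalence for a 2d game; flow[l] = ((a1, b1), (a2, b2))."""
    (ls, x), (lt, y) = s, t
    if ls != lt:
        return False
    (a1, b1), (a2, b2) = flow[ls]
    fx, fy = [fract(v) for v in x], [fract(v) for v in y]
    if not (equiv_a((a2, b1), fx, fy) and equiv_a((b2, a1), fx, fy)):
        return False
    return all(floor(xi) == floor(yi) or (xi > c and yi > c) for xi, yi in zip(x, y))

# Constructed sample states, all in one location "l0".
P = ("l0", (F(3, 10), F(2, 10)))
Q = ("l0", (F(3, 10), F(4, 10)))
R = ("l0", (F(3, 10), F(6, 10)))
TIMED = {"l0": (1, 1)}                 # both variables are clocks
SINGULAR = {"l0": (1, 2)}              # the second variable runs at slope 2
FLOW_2D = {"l0": ((1, 2), (1, 3))}     # flow = [1, 2] x [1, 3]
U = ("l0", (F(1, 10), F(2, 10)))
V = ("l0", (F(2, 10), F(3, 10)))
W = ("l0", (F(1, 10), F(4, 10)))

if __name__ == "__main__":
    print(region_equivalent(P, Q, TIMED, (2, 2)), region_equivalent(P, Q, SINGULAR, (2, 2)))
    print(double_region_equivalent(U, V, FLOW_2D, 3), double_region_equivalent(U, W, FLOW_2D, 3))
```

The same pair of states can be equivalent under one slope vector and distinguishable under another, and U and W agree under one of the two scaled relations but not under their intersection.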

In [HHK95], it was shown that double-region equivalence is a simulation for all 2d
rectangular games. In fact, using Proposition 2.2, we can show the stronger result that
double-region equivalence is a game simulation for all 2d rectangular games.

Theorem 3.2 For every 2d rectangular game, the double-region equivalence refines
the game similarity, which is equal to the alternating player-$i$ similarities for both $i = 1, 2$.

Corollary 3.3 Every 2d rectangular game has a finite quotient structure with respect to
game similarity. It can be computed by the algorithm for symbolic alternating similarity,
which terminates when applied to 2d rectangular games.

The game similarity quotient may have an exponential number of equivalence classes
(double-regions). Since the game similarity quotient refines game trace equivalence, by
Proposition 2.3, the finite quotient can be used for Ltl controller synthesis.

Corollary 3.4 The Ltl control problem for 2d rectangular games can be solved in time
exponential in the size of the game, and is 2Exptime-complete in the length of the Ltl
formula.

2d rectangular games are a maximal class of hybrid games for which finite alternating
similarity quotients exist. In particular, there exists a 3d rectangular game $\mathcal{R}$ such that the
equality relation is the only alternating player-1 simulation on $G_{\mathcal{R}}$ [HK96].

3.3  Game  trace  equivalence  for  rectangular  games 

Although initialized rectangular games do not have finite alternating similarity quotients,
we can show that they have finite game language-equivalence quotients.

To prove this, we sketch how to translate an $n$-dimensional rectangular game $\mathcal{R}$ into a
$2n$-dimensional singular game $S_{\mathcal{R}}$ such that $\mathcal{R}$ and $S_{\mathcal{R}}$ are game
language equivalent. For details, see [HKPV98]. The game $S_{\mathcal{R}}$ has the same vertex set, move
sets, observables, and observation function. We replace each variable $x_i$ of $\mathcal{R}$ by two
finite-slope variables $c_{lower(i)}$ and $c_{upper(i)}$ such that when
$flow_{\mathcal{R}}(v)(x_i) = [k_{lower}, k_{upper}]$, then
$flow_{S_{\mathcal{R}}}(v)(c_{lower(i)}) = [k_{lower}, k_{lower}]$, and
$flow_{S_{\mathcal{R}}}(v)(c_{upper(i)}) = [k_{upper}, k_{upper}]$. Intuitively, the variable
$c_{lower(i)}$ tracks the least possible value of $x_i$ and the variable $c_{upper(i)}$ tracks the
greatest possible value of $x_i$. With each edge step, the values of the variables are appropriately
updated so that the interval $[c_{lower(i)}, c_{upper(i)}]$ maintains the possible values of $x_i$.
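The bookkeeping behind this translation can be run directly: each variable is replaced by a pair of bounds that move at the two extreme slopes, and every concrete run of the rectangular game stays inside the tracked interval. The following Python sketch is an added example, not the construction from [HKPV98]; the edge update (reset on jump, otherwise intersect with the postguard interval) is this example's reading of the discrete-step semantics given earlier, and the two-variable model with its postguard is constructed for illustration.

```python
from fractions import Fraction as F

def in_rect(rect, x):
    """Membership of a point in a closed rectangle given as a list of (lo, hi)."""
    return all(lo <= xi <= hi for (lo, hi), xi in zip(rect, x))

def time_step(c, flow, t):
    """c_lower(i) advances at slope k_lower, c_upper(i) at slope k_upper."""
    return [(lo + t * klo, hi + t * khi) for (lo, hi), (klo, khi) in zip(c, flow)]

def edge_step(c, jump, post):
    """Assumed update: reset on jump, otherwise intersect with post(e)_i."""
    return [post[i] if i in jump else (max(lo, post[i][0]), min(hi, post[i][1]))
            for i, (lo, hi) in enumerate(c)]

def symbolic_run(x0, steps):
    """Run the (c_lower, c_upper) pairs of the singular game from the point x0."""
    c = [(F(v), F(v)) for v in x0]
    for kind, a, b in steps:
        c = time_step(c, a, b) if kind == "time" else edge_step(c, a, b)
    return c

def concrete_run(x0, steps, choices):
    """One run of the rectangular game. choices[k] in [0, 1] picks the slope
    k_lower + choice * (k_upper - k_lower) for the k-th time step (the same
    fraction in every coordinate, a simplification of this example).
    Returns None if the state does not satisfy the postguard of an edge."""
    x, picks = [F(v) for v in x0], iter(choices)
    for kind, a, b in steps:
        if kind == "time":                      # a = flow rectangle, b = duration
            lam = next(picks)
            x = [xi + b * (klo + lam * (khi - klo)) for xi, (klo, khi) in zip(x, a)]
        else:                                   # a = jump set, b = post rectangle
            x = [b[i][0] if i in a else xi for i, xi in enumerate(x)]
            if not in_rect(b, x):
                return None
    return x

# Constructed model: x1 is a position with slope in [1, 2], r is a clock.
FLOW = [(F(1), F(2)), (F(1), F(1))]
POST = [(F(3), F(5)), (F(0), F(10))]            # hypothetical postguard, no resets
STEPS = [("time", FLOW, F(2)), ("edge", set(), POST), ("time", FLOW, F(1, 2))]

if __name__ == "__main__":
    bounds = symbolic_run((0, 0), STEPS)
    print("tracked intervals:", bounds)
    for ch in ([0, 0], [F(1, 2), 0], [1, 1]):
        run = concrete_run((0, 0), STEPS, ch)
        print(ch, run, run is not None and in_rect(bounds, run))
```

The slowest run is rejected at the edge, and the two accepted extreme runs end exactly on the lower and upper bounds that the interval pair reports for the first variable.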

To prove that $\mathcal{R}$ and $S_{\mathcal{R}}$ are game trace equivalent, we define a map
$\gamma : Q_{S_{\mathcal{R}}} \to 2^{Q_{\mathcal{R}}}$ which maps each state of $S_{\mathcal{R}}$ to a set
of states of $\mathcal{R}$, by
$\gamma(\ell, \mathbf{x}) = \{\ell\} \times \prod_{i=1}^{n} [x_{lower(i)}, x_{upper(i)}]$.
Call a state $(\ell, \mathbf{x}) \in Q_{S_{\mathcal{R}}}$ an upper-half state of $S_{\mathcal{R}}$ if for
every index $i \in \{1, \ldots, n\}$, we have $x_{lower(i)} < x_{upper(i)}$. Notice that we are only
interested in upper-half states of $S_{\mathcal{R}}$. We set $\gamma(q) = \emptyset$ if $q$ is not an
upper-half state of $S_{\mathcal{R}}$. The upper-half space of $S_{\mathcal{R}}$ is the set of all
upper-half states. In [HKPV98], it was shown that a state $q$ of the singular game $S_{\mathcal{R}}$
(forward) simulates with observable moves any state $p \in \gamma(q)$ of $\mathcal{R}$, and any state
$p \in \gamma(q)$ backwards simulates $q$ with observable moves. From this, we have:

Lemma 3.1 Let $\mathcal{R}$ be a rectangular game, let $q$ be a state of the singular game
$S_{\mathcal{R}}$, and let $p \in \gamma(q)$ be a corresponding state of $\mathcal{R}$. Then $p$ is game
simulated by $q$, and $q$ is backward game simulated by $p$.

The above result also holds when the durations of the time moves are also observable.
Note that the above lemma only ensures equivalence for finite traces. However, since
the rectangles used in the definition of rectangular games are compact, it follows (as in
[HKPV98]) that the language of $\mathcal{R}$ is limit closed (an $\omega$-language $L$ is limit closed if
for every infinite word $\rho$, if every finite prefix of $\rho$ is a prefix of some word in $L$, then
$\rho$ is in $L$). Hence, the above lemma is sufficient to show game trace equivalence.

Theorem 3.3 For every rectangular game $\mathcal{R}$, every state $q$ of the singular game
$S_{\mathcal{R}}$, and every state $p \in \gamma(q)$ of $\mathcal{R}$, the states $p$ and $q$ are game trace
equivalent.

Since the singular game has a finite game trace equivalence, it follows that the rectangular
game $\mathcal{R}$ also has a finite game trace equivalence. The game trace-equivalence quotient
of $\mathcal{R}$ can be used for controller synthesis (Proposition 2.3). It may have an exponential
number of equivalence classes (corresponding to the regions of $S_{\mathcal{R}}$).

Corollary 3.5 Every rectangular game has a finite quotient structure with respect to game
trace equivalence.

Corollary 3.6 The Ltl control problem for rectangular games is 2Exptime-complete in
the size of the game and 2Exptime-complete in the length of the Ltl formula.

Rectangular games are a maximal class of hybrid games for which finite alternating
trace-equivalence quotients are known to exist. In particular, for triangular games, where some
enabling conditions for moves have constraints of the form $x_i < x_j$, the reachability problem,
and therefore the safety control ($\varphi = \Box\pi$) problem, are undecidable [HKPV98]. We also
note that the shape of a witnessing strategy for the Ltl control of rectangular games,
even for the safety control of timed games, is not necessarily rectangular, but may require
triangular constraints of the form $x_i < x_j$ to determine which move to apply in a given
state. Hence, the synthesized controller may not be implementable as another rectangular
automaton. This is in contrast to the timed case, where the timed automata with triangular
enabling conditions are reducible to finite quotients [AD94] and closed under controller
synthesis [MPS95, AMPS98].

We conclude with an observation that is important for making the control of rectangular
games practical. For the safety control of a rectangular game $\mathcal{R}$, rather than constructing
the region equivalence quotient of $S_{\mathcal{R}}$, it is computationally much preferable to iterate a
symbolic $upre_1$ operator directly on $\mathcal{R}$. The following theorem shows that this iteration,
which is being implemented in HyTech, always terminates.

Theorem 3.4 The algorithm for symbolic safety control terminates when applied to
rectangular games.
4  Conclusions

Our results for two-player hybrid games, which extend also to multiple players, are
summarized in the right column of the table below. They can be seen to cleanly generalize the
known results for hybrid automata (i.e., single-player hybrid games), which are summarized
in the center column. The number of equivalence classes of all finite equivalences in the
table is exponential in the given automaton or game. The infinitary results in the right
column follow immediately from the corresponding results in the center column.

                   Hybrid automata (single-player)      Hybrid games (multi-player)

Timed, singular    finite bisimilarity                  finite game bisimilarity
                   [AD94, ACH+95]

2d rectangular     infinite bisim., finite similarity   infinite alt. bisim., finite game
                   [HHK95, Hen95]                       similarity

Rectangular        infinite sim., finite trace equiv.   infinite alt. sim., finite game trace
                   [HKPV98, HK96]                       equiv.

Triangular         infinite trace equiv.                infinite alt. trace equiv.
                   [HKPV98]


References

[ACH+95] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin,
A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical
Computer Science, 138:3-34, 1995.

[AD94] R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science,
126:183-235, 1994.

[AHK97] R. Alur, T.A. Henzinger, and O. Kupferman. Alternating-time temporal logic. In
Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages
100-109. IEEE Computer Society Press, 1997.

[AHKV98] R. Alur, T.A. Henzinger, O. Kupferman, and M.Y. Vardi. Alternating refinement
relations. In D. Sangiorgi and R. de Simone, editors, CONCUR 97: Concurrency Theory,
Lecture Notes in Computer Science 1466, pages 163-178. Springer-Verlag, 1998.

[AMPS98] E. Asarin, O. Maler, A. Pnueli, and J. Sifakis. Controller synthesis for timed automata.
In Proc. IFAC Symposium on System Structure and Control, pages 469-474. Elsevier,
1998.

[Eme90] E.A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of
Theoretical Computer Science, volume B, pages 995-1072. Elsevier Science Publishers,
1990.

[Hen95] T.A. Henzinger. Hybrid automata with finite bisimulations. In Z. Fülöp and F. Gécseg,
editors, ICALP 95: Automata, Languages, and Programming, Lecture Notes in Computer
Science 944, pages 324-335. Springer-Verlag, 1995.

[Hen96] T.A. Henzinger. The theory of hybrid automata. In Proceedings of the 11th Annual
Symposium on Logic in Computer Science, pages 278-292. IEEE Computer Society
Press, 1996.

[HHK95] M.R. Henzinger, T.A. Henzinger, and P.W. Kopke. Computing simulations on finite
and infinite graphs. In Proceedings of the 36th Annual Symposium on Foundations of
Computer Science, pages 453-462. IEEE Computer Society Press, 1995.

[HHWT95] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. A user guide to HyTech. In E. Brinksma,
W.R. Cleaveland, K.G. Larsen, T. Margaria, and B. Steffen, editors, TACAS 95: Tools
and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer
Science 1019, pages 41-71. Springer-Verlag, 1995.

[HHWT98] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid
systems. IEEE Transactions on Automatic Control, 43(4):540-554, 1998.

[HK96] T.A. Henzinger and P.W. Kopke. State equivalences for rectangular hybrid automata.
In U. Montanari and V. Sassone, editors, CONCUR 96: Concurrency Theory, Lecture
Notes in Computer Science 1119, pages 530-545. Springer-Verlag, 1996.

[HK97] T.A. Henzinger and P.W. Kopke. Discrete-time control for rectangular hybrid automata.
In P. Degano, R. Gorrieri, and A. Marchetti-Spaccamela, editors, ICALP 97: Automata,
Languages, and Programming, Lecture Notes in Computer Science 1256, pages 582-593.
Springer-Verlag, 1997.

[HKPV98] T.A. Henzinger, P.W. Kopke, A. Puri, and P. Varaiya. What's decidable about hybrid
automata? Journal of Computer and System Sciences, 57:94-124, 1998.

[HW92] G. Hoffmann and H. Wong-Toi. The input-output control of real-time discrete-event
systems. In Proceedings of the 13th Annual Real-time Systems Symposium, pages 256-265.
IEEE Computer Society Press, 1992.

[MPS95] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete controllers for timed
systems. In E.W. Mayr and C. Puech, editors, STACS 95: Theoretical Aspects of
Computer Science, Lecture Notes in Computer Science 900, pages 229-242. Springer-Verlag,
1995.

[PBV96] A. Puri, V. Borkar, and P. Varaiya. ε-approximation of differential inclusions. In
R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III, Lecture Notes
in Computer Science 1066, pages 362-376. Springer-Verlag, 1996.

[Ros92] R. Rosner. Modular Synthesis of Reactive Systems. PhD thesis, Weizmann Institute of
Science, Rehovot, Israel, 1992.

[Tho95] W. Thomas. On the synthesis of strategies in infinite games. In E.W. Mayr and C. Puech,
editors, STACS 95: Theoretical Aspects of Computer Science, Lecture Notes in Computer
Science 900, pages 1-13. Springer-Verlag, 1995.

[Tom98] C. Tomlin. Hybrid Control of Air Traffic Management Systems. PhD thesis, University
of California at Berkeley, 1998.

[Won97] H. Wong-Toi. The synthesis of controllers for linear hybrid automata. In Proc. 36th
Conference on Decision and Control, pages 4607-4612. IEEE Press, 1997.


